AMENDMENTS TO THE CLAIMS 



1. (Original) A method for access management in a distributed data processing 
system, the method comprising: 

receiving from a client a request to access a resource protected by an application service 
provider (ASP) aggregator service, wherein the ASP aggregator service provides 
single-sign-on functionality for a plurality of net-sourced applications, wherein at 
least one of the net-sourced applications is hosted by an ASP; 

in response to a determination that the client or a user of the client has not been properly 
authenticated by the ASP aggregator service for a current client session, requiring 
the client or the user of the client to successfully complete an authentication 
process; and 

sending to the client a response to the request received from the client, wherein the 
response is accompanied by an aggregator token, wherein the aggregator token 
comprises a logon resource identifier. 

2. (Original) The method of claim 1 wherein a logon resource identified by the 
logon resource identifier prompts the client or a user of the client to complete an authentication 
operation. 

3. (Original) The method of claim 1 wherein the logon resource identifier is a 
Uniform Resource Identifier (URI). 

4. (Original) The method of claim 3 wherein the logon resource identifier is a 
Uniform Resource Locator, and the logon resource is a logon Web page. 

5. (Original) The method of claim 1 further comprising: 

receiving from the client a request to access a net-sourced application hosted by an ASP; 

extracting a logon resource identifier from an aggregator token that accompanies the 
request, wherein the aggregator token originated from the ASP aggregator service, 
wherein the ASP aggregator service provides single-sign-on functionality for a 
plurality of net-sourced applications, wherein at least one of the net-sourced 
applications is the net-sourced application hosted by the ASP; and 

sending to the client a response indicating the logon resource identifier as a redirectable 
destination. 

6. (Original) A method for access management in a distributed data processing 
system, the method comprising: 

receiving from a client a request to access a net-sourced application hosted by an 
application service provider (ASP); 

extracting a logon resource identifier from an aggregator token that accompanies the 
request, wherein the aggregator token originated from an ASP aggregator service, 
wherein the ASP aggregator service provides single-sign-on functionality for a 
plurality of net-sourced applications, wherein at least one of the net-sourced 
applications is the net-sourced application hosted by the ASP; and 

sending to the client a response indicating the logon resource identifier as a redirectable 
destination. 

7. (Original) The method of claim 6 further comprising: 

determining that the client or a user of the client has not been properly authenticated prior 
to sending the response to the client. 

8. (Original) The method of claim 7 further comprising: 

determining that the request was not accompanied with a valid application authentication 
token. 

9. (Original) The method of claim 6 wherein access for the client to the 
net-sourced application is controlled by the ASP on a subscription basis. 

10. (Original) The method of claim 6 wherein a logon resource identified by the 
logon resource identifier prompts the client or a user of the client to complete an authentication 
operation. 

11. (Original) The method of claim 6 wherein the logon resource identifier is a 
Uniform Resource Identifier (URI). 

12. (Original) The method of claim 11 wherein the logon resource identifier is a 
Uniform Resource Locator, and the logon resource is a logon Web page. 

13. (Original) A method for access management in a distributed data processing 
system, the method comprising: 

receiving from a client a request to access a logon resource identified by a logon resource 
identifier that has been extracted from an aggregator token, wherein access to the 
logon resource is protected by an application service provider (ASP) aggregator 
service, wherein the ASP aggregator service provides single-sign-on functionality 
for a plurality of net-sourced applications; 

requiring the client or the user of the client to successfully complete an authentication 
process associated with the logon resource; 

extracting an origination identifier from the request, wherein the origination identifier 
identifies a net-sourced application that is one of the plurality of net-sourced 
applications; and 

sending a response to the client, wherein the response indicates the origination identifier 
as a redirectable destination. 

14. (Original) The method of claim 13 wherein the logon resource identifier is a 
Uniform Resource Identifier (URI). 

15. (Original) The method of claim 14 wherein the logon resource identifier is a 
Uniform Resource Locator, and the logon resource is a logon Web page. 

16. (Original) An apparatus for access management in a distributed data 
processing system, the apparatus comprising: 

means for receiving from a client a request to access a resource protected by an 
application service provider (ASP) aggregator service, wherein the ASP 
aggregator service provides single-sign-on functionality for a plurality of 
net-sourced applications, wherein at least one of the net-sourced applications is hosted 
by an ASP; 

means for requiring the client or the user of the client to successfully complete an 
authentication process in response to a determination that the client or a user of 
the client has not been properly authenticated by the ASP aggregator service for a 
current client session; and 

means for sending to the client a response to the request received from the client, wherein 
the response is accompanied by an aggregator token, wherein the aggregator 
token comprises a logon resource identifier. 

17. (Original) The apparatus of claim 16 wherein a logon resource identified by 
the logon resource identifier prompts the client or a user of the client to complete an 
authentication operation. 

18. (Original) The apparatus of claim 16 wherein the logon resource identifier is 
a Uniform Resource Identifier (URI). 

19. (Original) The apparatus of claim 18 wherein the logon resource identifier is 
a Uniform Resource Locator, and the logon resource is a logon Web page. 

20. (Original) The apparatus of claim 16 further comprising: 

means for receiving from the client a request to access a net-sourced application hosted 
by an ASP; 

means for extracting a logon resource identifier from an aggregator token that 
accompanies the request, wherein the aggregator token originated from the ASP 
aggregator service, wherein the ASP aggregator service provides single-sign-on 
functionality for a plurality of net-sourced applications, wherein at least one of the 
net-sourced applications is the net-sourced application hosted by the ASP; and 

means for sending to the client a response indicating the logon resource identifier as a 
redirectable destination. 

21. (Original) An apparatus for access management in a distributed data 
processing system, the apparatus comprising: 

means for receiving from a client a request to access a net-sourced application hosted by 
an application service provider (ASP); 

means for extracting a logon resource identifier from an aggregator token that 
accompanies the request, wherein the aggregator token originated from an ASP 
aggregator service, wherein the ASP aggregator service provides single-sign-on 
functionality for a plurality of net-sourced applications, wherein at least one of the 
net-sourced applications is the net-sourced application hosted by the ASP; and 

means for sending to the client a response indicating the logon resource identifier as a 
redirectable destination. 

22. (Original) The apparatus of claim 21 further comprising: 

means for determining that the client or a user of the client has not been properly 
authenticated prior to sending the response to the client. 

23. (Original) The apparatus of claim 22 further comprising: 

means for determining that the request was not accompanied with a valid application 
authentication token. 

24. (Original) The apparatus of claim 21 wherein access for the client to the 
net-sourced application is controlled by the ASP on a subscription basis. 

25. (Original) The apparatus of claim 21 wherein a logon resource identified by 
the logon resource identifier prompts the client or a user of the client to complete an 
authentication operation. 

26. (Original) The apparatus of claim 21 wherein the logon resource identifier is 
a Uniform Resource Identifier (URI). 

27. (Original) The apparatus of claim 26 wherein the logon resource identifier is 
a Uniform Resource Locator, and the logon resource is a logon Web page. 

28. (Original) An apparatus for access management in a distributed data 
processing system, the apparatus comprising: 

means for receiving from a client a request to access a logon resource identified by a 
logon resource identifier that has been extracted from an aggregator token, 
wherein access to the logon resource is protected by an application service 
provider (ASP) aggregator service, wherein the ASP aggregator service provides 
single-sign-on functionality for a plurality of net-sourced applications; 

means for requiring the client or the user of the client to successfully complete an 
authentication process associated with the logon resource; 

means for extracting an origination identifier from the request, wherein the origination 
identifier identifies a net-sourced application that is one of the plurality of 
net-sourced applications; and 

means for sending a response to the client, wherein the response indicates the origination 
identifier as a redirectable destination. 

29. (Original) The apparatus of claim 28 wherein the logon resource identifier is 
a Uniform Resource Identifier (URI). 

30. (Original) The apparatus of claim 29 wherein the logon resource identifier is 
a Uniform Resource Locator, and the logon resource is a logon Web page. 

31. (Original) A computer program product in a computer readable medium for 
use in a distributed data processing system for managing access to resources, the computer 
program product comprising: 

instructions for receiving from a client a request to access a resource protected by an 
application service provider (ASP) aggregator service, wherein the ASP 
aggregator service provides single-sign-on functionality for a plurality of 
net-sourced applications, wherein at least one of the net-sourced applications is hosted 
by an ASP; 

instructions for requiring the client or the user of the client to successfully complete an 
authentication process in response to a determination that the client or a user of 
the client has not been properly authenticated by the ASP aggregator service for a 
current client session; and 

instructions for sending to the client a response to the request received from the client, 
wherein the response is accompanied by an aggregator token, wherein the 
aggregator token comprises a logon resource identifier. 

32. (Original) The computer program product of claim 31 wherein a logon 
resource identified by the logon resource identifier prompts the client or a user of the client to 
complete an authentication operation. 

33. (Original) The computer program product of claim 31 wherein the logon 
resource identifier is a Uniform Resource Locator, and the logon resource is a logon Web page. 

34. (Original) The computer program product of claim 31 further comprising: 

instructions for receiving from a client a request to access a net-sourced application 
hosted by an ASP; 

instructions for extracting a logon resource identifier from an aggregator token that 
accompanies the request, wherein the aggregator token originated from an ASP 
aggregator service, wherein the ASP aggregator service provides single-sign-on 
functionality for a plurality of net-sourced applications, wherein at least one of the 
net-sourced applications is the net-sourced application hosted by the ASP; and 

instructions for sending to the client a response indicating the logon resource identifier as 
a redirectable destination. 

35. (Original) A computer program product in a computer readable medium for 
use in a distributed data processing system for managing access to resources, the computer 
program product comprising: 

instructions for receiving from a client a request to access a net-sourced application 
hosted by an application service provider (ASP); 

instructions for extracting a logon resource identifier from an aggregator token that 
accompanies the request, wherein the aggregator token originated from an ASP 
aggregator service, wherein the ASP aggregator service provides single-sign-on 
functionality for a plurality of net-sourced applications, wherein at least one of the 
net-sourced applications is the net-sourced application hosted by the ASP; and 

instructions for sending to the client a response indicating the logon resource identifier as 
a redirectable destination. 

36. (Original) The computer program product of claim 35 further comprising: 

instructions for determining that the client or a user of the client has not been properly 
authenticated prior to sending the response to the client. 

37. (Original) The computer program product of claim 36 further comprising: 

instructions for determining that the request was not accompanied with a valid 
application authentication token. 

38. (Original) A computer program product in a computer readable medium for 
use in a distributed data processing system for managing access to resources, the computer 
program product comprising: 

instructions for receiving from a client a request to access a logon resource identified by a 
logon resource identifier that has been extracted from an aggregator token, 
wherein access to the logon resource is protected by an application service 
provider (ASP) aggregator service, wherein the ASP aggregator service provides 
single-sign-on functionality for a plurality of net-sourced applications; 

instructions for requiring the client or the user of the client to successfully complete an 
authentication process associated with the logon resource; 

instructions for extracting an origination identifier from the request, wherein the 
origination identifier identifies a net-sourced application that is one of the 
plurality of net-sourced applications; and 

instructions for sending a response to the client, wherein the response indicates the 
origination identifier as a redirectable destination. 